
Contrast Labs: Jenkins Maven HPI Plugin Exposes Developer Laptops

If you are like the development team at Contrast Security and build Jenkins plugins, then you probably find value in the maven-hpi-plugin. The Jenkins Maven HPI Plugin hpi:run target initializes a local Jetty HTTP server with the current plugin project for development testing. This enables plugin developers to quickly prototype and test without deploying plugins to a separately managed instance.

However, during a penetration test we found that this exposes the Jenkins web application on all network interfaces with no authentication by default. Any adversary on the same network can reach the script console and execute commands on the developer's machine.

[Figure: Jenkins Script Console Command Execution]

Ideally, the plugin should configure Jetty to listen on localhost only by default, and provide configuration options and documentation for the case where a user wants external hosts to reach the Jenkins instance. Contrast Labs reported this issue to the Jenkins team because no configuration option was available to stop the server from listening on all interfaces.

No CVE or formal notice was created, since this issue affects only developers and not users. Starting in Jenkins 2.223, the plugin should listen only on the loopback interface (localhost) by default, unless the configuration option -Dhost=0.0.0.0 is specified.
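As an added defender-side check (not part of the original post or of the maven-hpi-plugin), the following Python script parses Linux `ss -ltn` output and flags any listener on the assumed hpi:run port 8080 that is bound to a wildcard address rather than loopback, which is exactly the pre-2.223 condition described above. The port and the address spellings are assumptions; the sample socket table is constructed.

```python
"""Flag an hpi:run Jetty listener bound to all interfaces instead of loopback."""
import shutil
import subprocess
from typing import NamedTuple

JENKINS_DEV_PORT = 8080  # assumed default for hpi:run; change to match your setup
WILDCARD = {"0.0.0.0", "*", "::", "[::]"}  # wildcard spellings used by old and new `ss`
LOOPBACK = {"127.0.0.1", "::1", "[::1]", "[::ffff:127.0.0.1]"}


class Listener(NamedTuple):
    addr: str
    port: int


def parse_ss_listeners(output: str) -> list:
    """Parse `ss -ltn` output; the header and non-LISTEN lines are skipped."""
    found = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # "Local Address:Port" column
        if addr and port.isdigit():
            found.append(Listener(addr, int(port)))
    return found


def classify(addr: str) -> str:
    """'all-interfaces' is the exposure from the post; 'loopback' is the safe default."""
    if addr in WILDCARD:
        return "all-interfaces"
    return "loopback" if addr in LOOPBACK else "specific"


def exposed_dev_servers(output: str, port: int = JENKINS_DEV_PORT) -> list:
    """Listeners on the dev port that every host on the network can reach."""
    return [l for l in parse_ss_listeners(output)
            if l.port == port and classify(l.addr) == "all-interfaces"]


# Constructed sample: pre-fix Jetty on 0.0.0.0 and [::], plus an unrelated
# service correctly bound to loopback on another port.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      50     0.0.0.0:8080        0.0.0.0:*
LISTEN 0      50     [::]:8080           [::]:*
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
"""

if __name__ == "__main__":
    # Read the live socket table on Linux; fall back to the constructed sample elsewhere.
    out = subprocess.check_output(["ss", "-ltn"], text=True) if shutil.which("ss") else SAMPLE_SS_OUTPUT
    for hit in exposed_dev_servers(out):
        print(f"WARNING: port {hit.port} is bound to {hit.addr}, reachable from the whole network")
```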

  • 11/18/2019: Issue reported to Jenkins (SECURITY-1667)
  • 2/13/2020: Follow up with Jenkins
  • 3/4/2020: Notice sent to DEV mailing list
Dan Amodio, Security Researcher

Dan grew up tinkering with computers and learning about hacking and programming, and he somehow made a career out of it. He has worked on information security issues—from application security to red teaming—with some of the largest companies across the globe. Outside work he enjoys music, games, and family time.